How can we roll out Enterprise Risk Management with a minimal footprint? The answer is to use a principles-based approach. Once High Quality Risk Assessment is grasped, we can turn to an implementation that meets crucial criteria efficiently.
What is ERM in relation to your entire management practise? Conceiving of it as an ancillary practise, a quality check on plans, helps us to keep it lean, rather than a major drain on time and resources.
1. value proposition and cost-benefit analysis – principle: demonstrable worth, self-proven
2. execution plan and time line – principle: organic growth
3. working methods:
– High Quality Risk Assessment – principle: rigour of definitions and procedure
– Enterprise risk aggregation – principle: integrated w planning, management
4. policy, standard and governance – principle: administrative minimalism; clear roles
5. benefits – principle: direct effects vs higher order benefits and eventual outcomes
Please see my book if you want to investigate the following elements of the ERM implementation:
– a communications plan;
– performance and success criteria;
– integrating Business Continuity and Emergency Planning, and other risk management sub-disciplines;
– capability maturity model to assess the level of development of your ERM regime.
How did we maintain a minimal footprint in the implementation?
1. practitioners prove to themselves the value of risk ID in early stages at trial sessions; we don’t force a new practice; we minimize resistance;
2. the roll-out is incremental, not command and control; organic growth similarly prevents wasted investment in time and effort;
3. working methods are effective thanks to the using rigour in definitions and process in risk ID; we don’t use an unstructured and informal discussion of risk;
4. formal elements of the program are not overblown; they are minimal and have a specific utility;
5. benefits are of two kinds: the immediate, observable ones reported by practitioners which justify continued roll-out, vs. long term and eventual outcomes that become discernable over time.
We will continue the discussion always keeping to a principles-based approach. This allows you to consider the principle in question and apply it in your own way, following the requirements of your own particular organizational culture and business.
The next episode will review in a more complete and systematic way the principles of successful ERM implementation.
“Program managers of new initiatives are under pressure to show results, and it is easy (but risky) to communicate promises rather than demonstrate the work. Focus on a low-key approach that relies on evidence of benefits.” (Solving the ERM Puzzle… p.75)
[edited for clarity]
Episode 14: Enterprise Risk Management Implementation with Minimal Footprint.
How can we roll out ERM and still maintain a minimal footprint; that is, not impose a huge burden with regard to time and resources?
The answer is to use a principles-based approach. In this episode what I want to do is cover off many of the elements of the enterprise risk management implementation, and discuss how each one of these encapsulates a principle. If you can find some way of exercising or realizing that principle that is different from what I recommend, then, as I said before, I’m all for it. It’s simply a matter of trying to find the most efficient and effective way to institute a new management practice.
Why am I insisting on this? And what is the significance of principles-based approach? Well, I suggest it in contradistinction to the prescriptive approach — that is, slavishly copying some method that has drawn from somewhere, and expecting to get good results from it, simply because the steps are prescribed to you. They’re telling you what to do, basically. What I’m suggesting, by contrast, is to solve and satisfy certain criteria.
[01:58] So the first principle that I’m addressing, in a general sense, is to characterize enterprise risk management properly. We want to put it in perspective and put it in its proper place with regard to the entire panorama of management practice.
I suggest that enterprise risk management is really a quality control management tool. It’s a check on the quality of your plans, and on the soundness of your intentions to execute on those plans. It doesn’t substitute for research and sound planning.
If enterprise risk management is really, in perspective, an ancillary practice that we add to our management and planning regime, it follows that it has to be minimalist. It has to be efficient and it has to be implemented relatively quickly. So if we accept that’s the general nature and sense of an enterprise risk management program in your organization, then let’s proceed with the minimalist approach to implementation.
[02:51] The first element to be considered in our enterprise risk management implementation plan is the value proposition and cost-benefit.
The costs of the enterprise management program are going to be (in the way that I recommend) relatively modest, especially In comparison to other capital projects that require huge equipment. And we do not, especially, want to invest in IT software to implement the program. I’m going to address that in a later episode. The immediate take-away is that you don’t want to have a huge spend on a software application before you’ve actually proven the method with low tech methods.
[03:27] The immediate costs really involve repurposing time and job functions for personnel. This enables you to carry out trial sessions and prove the value of the method. So there’s no question, we’re going to be asking some people to take some chunk of time out of their regular duties in order to do trial sessions, and to try to prove the benefit of High Quality Risk Assessment. And if we’re successful, we’ll find this repurposed time actually ends up in a transformed management regime that is using its time more efficiently. I believe that is the main cost.
Now with regard to benefit, we can ask: what are the benefits that are promised in the literature? People are talking about reducing volatility; being able to manage enterprise risk, and to perhaps preclude the occurrence of risk events, and so on. I think really it’s best to conceive of benefits in two categories. One is the direct benefits that are observable in the short term or even immediate term. The second one is eventual outcomes, or long term benefits.
The immediate benefit is that people have much more clarity on their goals and objectives and the soundness of their plans. And, of course, this is all by virtue of the fact that we’ve put in the preparatory work, to properly formulate goals and objectives, and substantiate it with environmental scan, and so on. This is not trivial, because this can actually serve to unify people psychologically in their approach to the organization’s business.
Let’s look at this and in more detail. Of course, the obvious benefit is we’re going to be identifying uncertainty, and trying to address the risk that is inherent in the formulated plan. So, this seemingly obvious benefit of identifying risk really breaks down into some interesting categories of faulty thinking.
For example, we start to detect logical flaws in the plans themselves. We start to introduce perhaps fresh thinking and original ideas that had not occurred to the planners before, just by virtue of the fact that they’re scrutinizing the plans in this way. We can start to detect important risk themes… where seemingly disparate events actually unify [have their origin] in one core cause. We can also talk about analyzing and managing what were heretofore intractable, chronic business problems.
[05:45] I can summarize [the above] by saying the quality of thought that is directed to plans by using this process really results in a much more profound understanding of the business. Rich discussion of the organizational plans really constitutes, in a direct and observable way, the benefits of the first stage of enterprise risk management — that is, to implement High Quality Risk Assessment.
In sum: we’ve got a better conceived, substantiated, formulated plan to pursue the core business; we’ve got a regime to permit managers and analysts to systematically discern and analyze the specific uncertainties; and you’ve got risk mitigation plans to manage those uncertainties.
[06:26] Now this is all predicated on two things. First of all you observe the principle in your working method of having rigorous definitions and procedure. That’s what I outlined in High Quality Risk Assessment. It won’t work if you just have an informal, ad hoc discussion about risk. You won’t get these benefits that I’m talking about. The second thing is — and this is the principle of the value proposition itself — it’s the practitioners who come back and report: “Yes, we’re getting a much more profound understanding and clarity on the organization’s business.”
So we’re not telling people what the benefits are. We’re letting people experiment and prove the method to themselves. That’s crucial.
If the people who experiment with this come back and say: “You know, it’s not working for us. There’s really no value here.” Well, at least you’ve got the chance to go back and investigate why: whether it’s in the planning practice; or the risk ID session was not properly prepared or facilitated; or whatever it is.
But at least you have not gone too far down the road of ERM implementation, with a lot of expense, and you haven’t made a lot of promises.
So that’s the value proposition and the cost-benefit, which should be discernible in the early stages of trials of High Quality Risk Assessment, which represent your first efforts at ERM implementation.
[07:40] The second element in ERM implementation is the execution plan and timeline. I believe that it’s much better to use an incremental and experimental approach to any new program. This gives you the best chances for implementation, as opposed to a command-and-control approach, where you’re imposing the new management practice all at once.
The principle that’s operating there is that organic growth is much more effective and ultimately faster than a forced or coerced approach.
This means that it’s up to the discretion of the champion to select program areas that are the most appropriate to work with, [i.e.] people who are willing to experiment with a new method; who might have some sort of chronic problem where they need some special attention in analyzing their program. These are good candidates.
[08:27] The third element in our ERM implementation is the working methods. We’ve already discussed High Quality Risk Assessment at length. The principle there is to make sure that you maintain a rigour of definitions and procedure.
The second part of working methods has to do with risk aggregation. How are you going to conduct risk assessment in various areas across the organization, and then aggregate those results? In general, the answer is that it’s the planning and management regime that will dictate where you conduct risk ID; where you accumulate risk information; and what governs the review of plans and their associated risk assessments.
Another way to state that principle is that we’re not imposing a separate layer of bureaucracy through enterprise risk management; we’re simply integrating risk methods with the existing planning and management regime.
[09:15] The fourth element of our implementation is policy, standard and governance. The principle that I want to adhere to here is simply administrative minimalism.
Let’s start with standard. It makes sense to select a standard to give us some general guideline as to the stages of the risk management process, and to the elements of vocabulary, and various concepts that that people will find useful as references. The great advantage there as you don’t invent the standard, you simply select it. I gave some advice on that back in Ep. #2.
The policy is the thing that devolves from the standard. It is something that you might have to write, but it doesn’t have to be lengthy; it can just be simply an interpretation of the standard for application in your business.
The third element is governance; that’s closely related [to policy]. That’s again something you’ll have to specify, but it needn’t be lengthy. It’s just the idea of setting the roles and responsibilities, and patterns of reporting — integrated, as I said, with the planning and management practice. This way people will have clarity on whether or not they’re actually responsible for developing risk information in a documented form, connected with their program areas.
So you can sketch out a draft of these elements of the more formal planning. But I recommend that you don’t try to implement them in a grand way, before you really prove the value of the method in the earlier stages.
[10:33] The last element of the implementation plan that I wanted to discuss today is the benefits. Now we’ve already characterized benefits as being short term, immediate, on one hand, as opposed to long-term eventual outcomes. That in itself is the principle that you want to observe at this stage.
You want to make sure that you’re able somehow to assess the value, the worthiness of this process in its immediate concrete results, in the eyes of the practitioners… You can prepare for the long-term eventual outcomes of an assessment on that basis, by simply keeping your records and understanding: which risks did you identify or fail to identify?; which mitigation strategies actually were effective?; which risk events actually came to pass? These things are only discernible and measurable over the long term, as you look back on your risk management records for the previous year.
But just to repeat: having divided the benefits into short-term, immediately observable and long-term — that gives you some sort of a reasonable way to assess the quality of the program as you go along.
Well, depending on the type of manager you are and the sort of organization you’re working in, you might find that that’s already an adequate list of the elements of the enterprise management implementation plan.
[11:53] On the other hand if you’re working in large or complex organization, or have a particular interest, you can follow up on these topics in my book:
1. communications plan to share results and celebrate success;
2. performance and success criteria;
3. integrating business continuity and emergency planning, as well as other risk management sub- disciplines;
4. capability maturity model to assess the level of development of your enterprise risk management regime, and perhaps compare that with those of peers.
Well, let’s summarize how we’ve been able to maintain a minimal footprint, at least so far in the narrative, in our efforts to implement enterprise risk management:
1. I insisted on the principle that practitioners prove to themselves the value of the risk identification process rather than simply imposing some supposed benefit upon them. The result of that is we don’t waste time and we don’t get undo push-back, but proceed on the basis that people actually like and value the process;
2. We insisted on the principle of gradual or incremental implementation that, similarly, prevents mal-investment. It prevents wasted time and effort on things that aren’t working;
3. We insisted on a rigorous risk identification process, by virtue of using definitions and clear methods;
4. We use the principle of having the formal elements of the program (that is the policy, the governance and so on) as minimal as possible, not overblown. They are brief and they have a specific utility;
5. The benefits of the program are conceptualized in two categories: one is immediate or at least short term and observable, and the second one is long-term outcome.
Well, hopefully that’s enough information to guide you in your initial efforts for enterprise risk management. Remember we want to be minimalists with regard to administration and expenses. We want to roll this out as efficiently as possible and we want to continue in a principles-based approach. That means you consider the principle; try to apply it to your organization and get the benefit without me telling you in an overly prescriptive way how to proceed. This way you’ll be able to respect the idiosyncrasies in your organizational culture and the requirements of your business.
In the next episode, we’ll review in a more complete and systematic way the principles of successful enterprise risk management implementation. In the meantime, I leave you with this quote:
“Program managers of new initiatives are under pressure to show results. It’s easy, but risky, to communicate promises rather than demonstrate the work. Focus on a low-key approach that relies on evidence of benefits.”